We purchased these phones and immediately installed GrapheneOS on them. We have also generally stuck to running open-source software on them, although we do run a few proprietary apps, primarily in their own profiles.
Google Play Services
The Transmit profile has Graphene's sandboxed Google Play Services and Store installed because the app will not work without them and the alternatives are sub-par.
App Stores
I have installed F-Droid and Aurora Store (a privacy-focused alternative to the Google Play Store). I primarily look for apps on F-Droid, but if there are no suitable alternatives, I may download an app from the Aurora Store. I use Aurora rather than downloading APKs directly for a couple of reasons:
- Aurora handles app updates for me
- I can trust the source more than some random APK download link
VPN
I tried using AirVPN's Eddie client on the phone, but it was very unstable. Once connected, it was fine, but it often took several crashes before the VPN would connect. I've switched to the WireGuard app and scanned QR codes from the AirVPN config generator to add my favorite servers.
Lockscreen
Widgets on the lockscreen are created with the Lockscreen Widgets app.
Camera
The camera can be opened by double-clicking the power button.
FindMyDevice (FMD)
This can be accessed either from my self-hosted FMD front-end or from pre-defined contacts via SMS. For my phone, I have allowed Tiffany's phone, my mom's phone, and Ambria's phone. For Tiffany's phone, she has allowed my phone and Ambria's phone. This means that the SMS remote usage via the app can only be actuated through one of these phone numbers or through the connected self-hosted front-end.
Commands
To use commands via text message, text the trigger word (ours is findmydevice) followed by a command, from an allowed phone number, to the phone running the app.
- bluetooth [on|off]
- camera [front|back]
- delete <deletepin> [dryrun]
- gps [on|off]
- locate [last|all|cell|gps]
- lock [msg]
- nodisturb [on|off]
- ring [long|<durationsec>]
- ringermode [normal|vibrate|silent]
- stats
- help
The delete PINs are stored in 1Password.
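A minimal model of the gating described above, as an added example (not FindMyDevice's own code and not part of the original setup): a message is acted on only if it comes from an allowed number, starts with the trigger word, and matches the command syntax listed above. The phone numbers and delete PIN are constructed placeholders; the number normalization, case-insensitive trigger matching and PIN comparison are assumptions about how such a check could be written.

```python
import hmac
import re

TRIGGER = "findmydevice"                            # trigger word from this page
ALLOWED_SENDERS = {"+15550100001", "+15550100002"}  # constructed placeholder numbers
DELETE_PIN = "constructed-pin"                      # constructed placeholder PIN

# Argument syntax per command, transcribed from the command list above.
GRAMMAR = {
    "bluetooth": r"(on|off)?",
    "camera": r"(front|back)?",
    "delete": r"\S+( dryrun)?",      # <deletepin> is mandatory
    "gps": r"(on|off)?",
    "locate": r"(last|all|cell|gps)?",
    "lock": r".*",                   # optional free-text message
    "nodisturb": r"(on|off)?",
    "ring": r"(long|\d+)?",          # "long" or a duration in seconds
    "ringermode": r"(normal|vibrate|silent)?",
    "stats": r"",
    "help": r"",
}

def normalize(number):
    """Strip spaces, dashes and brackets so allowlist lookups are exact (assumption)."""
    return re.sub(r"[^\d+]", "", number)

def parse_sms(sender, body):
    """Return (command, args) if the message would be acted on, else None."""
    if normalize(sender) not in ALLOWED_SENDERS:
        return None                  # unknown sender: ignore silently
    words = body.split()
    if len(words) < 2 or words[0].lower() != TRIGGER:
        return None                  # no trigger word, or trigger with no command
    command, args = words[1].lower(), " ".join(words[2:])
    pattern = GRAMMAR.get(command)
    if pattern is None or not re.fullmatch(pattern, args):
        return None                  # unknown command or malformed arguments
    if command == "delete":
        pin = args.split()[0]
        # Constant-time comparison; the allowlist alone never authorizes delete.
        if not hmac.compare_digest(pin.encode(), DELETE_PIN.encode()):
            return None
    return command, args
```
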
ntfy
The ntfy app is connected to a ntfy instance on the home server to deliver notifications from the server. It must be left in place to avoid disrupting communication with the server.
Server-side
For more information on the server-side infrastructure, see FindMyDevice on Homelab.
Procedures
Managing profiles
From the control center (pull down from top), pull down again to open the second level of control center. Then, you will have a profile button in the bottom right.
You may also manage through settings in System > Users.
Downloading proprietary apps
When I download a proprietary app, I first evaluate whether it should be isolated. By default, it should. It only gets installed in the main owner profile if I trust the vendor. Any app needing Google Play services also gets installed in the private space, since those are not available in the main segment of the owner profile.
Once I have decided to install the app, I will use the appropriate app store installed in the private profile (accessed by pulling up the app drawer, scrolling to the bottom to find the private space, and unlocking if necessary). When browsing the app store, the key should be displayed in the top menu bar to indicate that the store is running inside the private space.
Once an app is installed in this way, it will be accessible from the bottom private space section of the app drawer.
Apps requiring the disabling of Graphene exploit mitigations should always be installed in a completely separate profile to avoid compromising security and privacy in general phone usage.